Cyber Incident Victim: Philadelphia Inquirer
Date: May 2023
Location: United States of America
Summary
The Philadelphia Inquirer suffered a cyberattack that significantly disrupted its operations, preventing the printing of its Sunday newspaper and restricting access to its content management system. The organization took systems offline upon discovering the anomalous activity and engaged outside cybersecurity experts to assist in the investigation and restoration. The incident, which was first flagged by a security vendor, also forced the closure of its offices and raised questions about the news organization's security practices.
Description
On Thursday, May 11, 2023, the Philadelphia Inquirer was first alerted to anomalous activity on its computer systems by Cynet, a vendor that manages the news organization's network security. This initial alert did not result in any immediate disruption to the publication's operations, and newspapers were printed and distributed normally on both Thursday and Friday. The situation escalated significantly on the morning of Saturday, May 13. The skeleton crew working over the weekend discovered that access to the Philadelphia Inquirer’s content management system was down. In response to this discovery, the organization issued a statement confirming it had discovered anomalous activity on select computer systems and had immediately taken those affected systems offline.

The immediate impact of taking these systems offline was a major disruption to the newspaper's core operations. The organization found itself unable to print its regular Sunday newspaper edition. As a workaround, the early edition of the Sunday paper, which had been composed on Friday, was printed and distributed to subscribers. The regular Sunday edition was made available solely through the digital replica known as the e-edition. Within a few hours of the system takedown, additional workarounds were established to allow news articles to continue being posted and updated on Inquirer.com, though sometimes at a slower pace than normal.
The disruption continued throughout Sunday, May 14. As of that day, it remained unclear when the newspaper's systems would be fully restored. Publisher Lisa Hughes, communicating through a spokesperson via email, stated that the company was unable to provide an exact timeline for full restoration. The incident was noted as the greatest disruption to publication for Pennsylvania’s largest news organization since a blizzard in January 1996. The timing was particularly sensitive as it occurred just days before the city's mayoral primary election scheduled for Tuesday, May 16.
By late Sunday afternoon, it was confirmed that it would be possible to print the Monday editions of The Inquirer and the Daily News. However, Hughes announced that classified advertisements, including death notices, would be postponed from appearing in the print newspapers until Wednesday out of an abundance of caution. There were no plans to issue refunds to subscribers as they had received the early Sunday papers and the electronic edition. The company also implemented a mandatory remote work policy, informing employees that they would not be allowed into The Inquirer’s offices through at least Tuesday due to the ongoing disruptions. The company was looking into securing coworking space for Tuesday so that journalists could cover the election, though they would be unable to use their own newsroom. Hughes stated that the situation would not affect the paper's election coverage.
In terms of response, the company engaged its external cybersecurity vendors. Cynet, which was already managing network security and provided the initial alert, was involved. Additionally, the company brought in another firm, Kroll, to specifically respond to the incident and conduct the investigation. The Philadelphia Inquirer also notified the Federal Bureau of Investigation (FBI) about the incident. A spokesperson for the FBI’s Philadelphia office acknowledged awareness of the incident but declined to comment further, noting it is customary for the FBI to offer assistance when learning of potential cyber attacks.
The ongoing investigation prevented the publisher from answering many detailed questions about the nature and scope of the attack. Hughes could not confirm who was behind the incident or what their motivations were. She also could not state whether attackers had successfully breached Inquirer systems, which specific systems were involved, or whether The Inquirer or any employees appeared to be specifically targeted. The question of whether any confidential information belonging to employees or subscribers was accessed also remained unanswered pending the investigation. Hughes vowed that the company would “notify and support” anyone whose personal data may have been affected, should the investigation determine that such a breach occurred.
The incident raised questions about the newspaper's cybersecurity posture. It was reported that The Inquirer does not require multifactor authentication for many of its key systems. Multifactor authentication is a standard security practice that requires users to provide a password and then respond to another prompt, such as a text message, making it more difficult for attackers to gain access even with a stolen password. The organization had also been the target of spear-phishing campaigns in the past, where employees received fake emails or text messages appearing to come from leadership like Hughes herself. These attacks can trick victims into opening malicious files or being scammed.
The Philadelphia Inquirer had invested in digital security in recent years, an effort that was accelerated by the need to support remote work during the COVID-19 pandemic. This investment included adding monitoring software to company-owned equipment. The company also conducts regular security audits, with Cynet handling the network security function. When asked whether the vulnerability exploited in this incident had been previously flagged in these audits or testing, Hughes stated that it had not. The specific technical cause of the disruption and the exact entry point used by the attackers remained under investigation by Kroll and other experts. The event highlighted the growing threat of cyberattacks against news organizations, which can be prized targets for hackers seeking to access reporters' notes, leak internal communications, publish misinformation, or simply wreak havoc in a highly visible manner.
